What You Need from DDoS Protection – The Capabilities and The Rankings

There are some instances in which any old version of something will do. Napkins for a picnic, for instance. Cat food that you’re using to lure strays to your annoying neighbor’s house. Sure, grab the no-name version, or the cheapest available option.

There are other instances, however, where only the top choice will do. Considering that DDoS attacks are an unimaginably fast way to alienate users and do long-term damage to your brand, business or reputation while also quite possibly allowing for data theft and other malicious intrusions, DDoS protection is one of these latter instances.

Going by the rankings

The DDoS landscape has reached the point where it’s hard to imagine another day going by before your website or business is protected, so if you don’t have the time or inclination to research DDoS protection services, an easier way of finding leading mitigation is to consult the rankings.

The Forrester Wave: DDoS Mitigation Solutions, Q4 2017 report, one of the most trusted sources for technology buyers, named Imperva Incapsula the best DDoS protection, calling them a leader in DDoS mitigation services and ranking them number one in the Strategy and Current Offering categories. This opinion isn’t restricted to just the Forrester Wave, either. Imperva Incapsula was also ranked number one in DDoS protection services by business.com.

The Forrester Wave report cited Imperva Incapsula’s ability to mitigate layer 3, 4 and 7 attacks, scale, speed and ability to detect new attack types as factors in the ranking, and they are leading factors that need to be considered when assessing any potential DDoS protection service or solution. Here’s why.

A layered approach

DDoS attacks target either the network layer, which covers layers 3 and 4 of the OSI model (network and transport), or the application layer, which is layer 7. Protecting against DDoS attacks means being able to mitigate both network layer and application layer attacks, which takes strikingly different strategies and solutions. While mitigating network layer attacks is a matter of brawn, requiring a huge amount of bandwidth and a scrubbing server built to deal with massive influxes of malicious traffic (see below), mitigating application layer attacks requires a brainier approach.

Instead of just walloping their targets with tremendous amounts of traffic, application layer attacks attempt to bypass security by mimicking normal user behavior. Successfully protecting against these assaults involves granular traffic inspection that is able to pick out even the most convincing bad bots and send all attack traffic to the scrubbing server before it can impact site operations. This is a process that has to include progressive challenges for activity that is suspicious but can’t immediately be classified as malicious, and it’s also a process that needs to be as subtle as it is smart to keep legitimate users from being impacted by security measures.

Scalability that beats the bad guys

Between record-breaking Internet of Things botnets and network layer attacks that are getting bigger and more persistent, your DDoS mitigation service needs to be able to go head to head with the biggest, most bruising assaults currently possible.

Network layer attacks are routinely weighing in with packet forwarding rates exceeding 50 Mpps and even 100 Mpps. Routinely. This means the scrubbing servers tasked with handling malicious traffic need to be able to handle all of that and more, because you never know when 300 Mpps could come flying your way. If a scrubbing server isn’t equipped to make at least 500 Mpps vanish into the ether of the internet, it’s not good enough. For reference, the Imperva Incapsula Behemoth 2.0 scrubbing server can handle 650+ Mpps.

The speed you need

Memorize this question, you’re going to need it: “What is your time to mitigation?” Memorize this follow-up while you’re at it: “Is that going to be a clause in our service level agreement?”

It used to be that even the biggest and burliest DDoS attacks started with a ramp-up period while the botnets behind them got warmed up enough to hurl the full attack, so many professional services with always-on deployment could identify attack traffic and start diverting it before it could affect a website’s performance. However, thanks to the ingenuity of professional attackers, that ramp-up period has been eliminated with a new attack type called pulse wave attacks. With a pulse wave attack, attackers use a botnet to hit one target after another, ensuring the botnet is already warmed up and needs no time to reach peak attack levels. With pulse wave attacks initially hitting at 10+ Gbps, every single second that passes before a mitigation service begins to mitigate could lead to a clogged network.
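To put numbers on why time to mitigation matters more once the ramp-up is gone, the following added example (not from the original article or any vendor) models one protected link and counts the seconds it spends over capacity before scrubbing starts. The link capacity, baseline traffic, detection threshold and 1 Gbps-per-second ramp are all constructed assumptions.

```python
# Added example: constructed numbers, not measurements from any real attack or vendor.
LINK_GBPS = 5.0        # assumed capacity of the protected uplink
BASELINE_GBPS = 1.0    # assumed legitimate traffic
DETECT_GBPS = 2.0      # assumed anomaly threshold on total inbound traffic


def saturated_seconds(attack_gbps, ttm_seconds):
    """Count seconds the link is over capacity before mitigation starts.

    attack_gbps: attack volume in Gbps, one entry per second.
    ttm_seconds: delay between detection and traffic being scrubbed.
    """
    detected_at = None
    saturated = 0
    for t, attack in enumerate(attack_gbps):
        total = BASELINE_GBPS + attack
        if detected_at is None and total > DETECT_GBPS:
            detected_at = t
        if detected_at is not None and t >= detected_at + ttm_seconds:
            break  # scrubbing is active; attack traffic no longer reaches the link
        if total > LINK_GBPS:
            saturated += 1
    return saturated


def ramp(peak_gbps, seconds):
    """Attack that gains 1 Gbps per second until it reaches its peak."""
    return [min(float(t + 1), peak_gbps) for t in range(seconds)]


def pulse(peak_gbps, seconds):
    """Pulse wave: the botnet is already warm, so second 0 is at peak."""
    return [peak_gbps] * seconds


def compare(ttm_seconds, peak_gbps=10.0, seconds=30):
    """Saturated seconds for a ramping attack vs. a pulse wave at the same peak."""
    return {
        "ramp": saturated_seconds(ramp(peak_gbps, seconds), ttm_seconds),
        "pulse": saturated_seconds(pulse(peak_gbps, seconds), ttm_seconds),
    }


if __name__ == "__main__":
    for ttm in (1, 3, 10):
        print(f"time to mitigation {ttm:>2}s -> {compare(ttm)}")
```

In this model a 3-second time to mitigation absorbs the ramping attack with no saturation at all, while the pulse wave clogs the link for the full 3 seconds, so the figure written into the service level agreement translates directly into outage time.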

A proactive effort

If you’re going to invest in DDoS protection, then invest in DDoS protection. When you go with a company that specializes in DDoS protection, you’ll have an army of brilliant DDoS-obsessed minds not only putting up the best defense against current threats, but constantly scouring the internet for the newest and most rapidly evolving threats, often assault methods developed by professional DDoS attackers – ones that are likely to be accompanied by intrusions and data theft attempts when non-specialist security personnel are stymied by a devious DDoS attack.

When you get DDoS protection as an add-on service from an ISP or a generalized security service, you get add-on quality protection – service that’s good enough, until it isn’t. Until advanced bots fool a security solution, a network layer attack wipes out available bandwidth, or a new attack method specifically designed to outwit everything but the best proactive DDoS protection does exactly that.

The choices we make

There are many times in life where any old something is infinitely better than nothing, or the option you went with because it was easiest or cheapest or fastest proves to be just fine. The yolk stain your discount cleaning solvent removed after your neighbor threw a dozen eggs at your fence is, of course, no reason to think a haphazardly selected mitigation service will adequately protect against the DDoS attacks flying around the internet from professional attackers, hacktivists, DDoS-for-hire services, vengeful business competitors and script kiddies looking to have fun at someone else’s expense. Go with a top choice or suffer the consequences.